Abstract

Research undertaken under AFOSR Grant 87-0150C is described. This research focuses on specification languages for multi-processor systems, with particular emphasis on applications to Ada software. The research, however, applies generally to specifying distributed systems containing both software and hardware components, and to software systems implemented in any programming language. The primary goals are (1) design of a high level specification language for distributed systems, and (2) design and development of prototype tools for applying this language to development of highly reliable multi-processor Ada software.

This effort involved research into basic questions concerning:

• event-based models of distributed (local time asynchronous) computations,

• constraint-based concurrent specification languages,

• realtime specifications,

• methodology and support tools for specifying concurrent programs,

• implementability studies.


Over the period in question, this research effort has had technical impact in the following areas (as described in later sections):

1. Formal Ada tasking specifications

2. New Prototyping Languages

3. Industrial Tools for Process Programming

4. Training of Ph.D.'s for industry and academia.
1 Description of Research Undertaken


Under this AFOSR contract we have developed a specification language, Task Sequencing Language (TSL), for specifying Ada tasking programs. TSL is a language in which constraints on patterns of behavior of a distributed program can be expressed.

A major concept of TSL is that patterns of events are central in the adequate and complete specification of multi-tasking behavior (i.e., behavior involving multiple threads of control simultaneously).

The principal constructs in TSL are aimed at making it easy to describe sequences and other patterns of events in a program that is executing on many processors simultaneously. Only significant events need be used in constraints, and other events in an Ada computation can be omitted. Important events in a multi-tasking program may include, for example, communication and synchronization events between separate threads of control (e.g., rendezvous events in Ada programs). Events of importance can then be combined by TSL specification constructs to define required (or erroneous) patterns of behavior.

A second major concept of TSL is runtime checkability. TSL is designed so that computationally feasible algorithms exist for checking consistency between a TSL specification and a distributed computation at runtime. The rationale for checkability is to develop a wide range of applications to concurrent systems, from specification and requirements analysis, to testing, debugging, and self-checking. In view of the difficulty of verifying correctness of concurrent systems, and the absence at present of automated proof systems for concurrency, self-checking distributed systems are a promising practical approach to the pressing problems of reliability and security.

The emphasis on checkability does not, however, conflict with formal consistency proof applications. In fact, checking and proof should be regarded as complementary techniques with a common basis, namely, both methods utilize the same TSL specifications. Consistency proof methods can be applied to TSL specifications whenever proof rules are developed. (Proof rules for the most recent version of TSL are currently being developed.)

During 1987, the design of TSL-1 was completed. TSL-1 is based on an observational model of a distributed computation as a linear stream of events. TSL-1 implementations support both the specification and testing phases of tightly coupled concurrent Ada systems. Basic concepts of TSL-1 have been deployed in SA/PDL, an Ada-based simulation language developed by IDA for the SDI [12].

Support tools have been designed for TSL-1, including a preprocessor that instruments Ada programs to enable tracing of tasking events, and a runtime monitor for checking consistency between the runtime behavior of Ada tasking programs and TSL-1 pattern specifications. Preliminary experimental implementations of these tools have been completed. Our experiments and publications show that the TSL-1 runtime monitor is a very powerful debugging tool for Ada tasking programs, and can detect subtle error situations such as communication protocol errors and race conditions.

Standard debugging tools are essentially useless for detecting such errors in a multiple processor environment. This has been confirmed in class exercises to debug Ada programs at Stanford. Errors in distributed systems are far too difficult to detect and reproduce by old-fashioned information gathering after the error. Instead, we have pursued the alternative of using TSL-1 for specifying error behavior patterns. Violations of such specifications can be automatically detected by our runtime monitor tools as they occur.
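The following is an added illustration of the monitoring idea described above; it is not code from the TSL project and does not use TSL syntax. It treats a tasking computation the way TSL-1 does, as a linear stream of events, and checks the stream against a small set of constructed constraints on Ada-style rendezvous (call, accept, end of rendezvous) plus one constraint that a shared variable may only be written while its guarding rendezvous is in progress. The event vocabulary, task names ("Producer", "Buffer", "Consumer"), entry names and the sample trace are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed event vocabulary for an Ada-style tasking trace (not TSL syntax):
#   call   <task> <entry>   the task issues an entry call and blocks
#   accept <task> <entry>   the task accepts the entry; the rendezvous starts
#   end    <task> <entry>   the accepting task ends the rendezvous
#   write  <task> <var>     the task writes a shared variable
@dataclass(frozen=True)
class Event:
    kind: str
    task: str
    target: str   # entry name for call/accept/end, variable name for write


def check_trace(trace: List[Event], guarded: Dict[str, str]) -> List[str]:
    """Check a linear event stream against four constructed constraints:

    1. a task with an outstanding or active rendezvous may not issue a new call;
    2. an accept on entry E requires an outstanding call on E;
    3. an end of rendezvous on E requires an active rendezvous on E;
    4. a write to a variable V listed in `guarded` is allowed only to the two
       tasks currently in rendezvous on entry guarded[V] (otherwise: a race).

    Violations are reported as they occur, tagged with the index of the
    offending event, as a runtime monitor would report them.
    """
    outstanding: Dict[str, str] = {}          # caller -> entry called, not yet accepted
    active: Dict[str, Tuple[str, str]] = {}   # entry -> (acceptor, caller) in rendezvous
    violations: List[str] = []

    for i, ev in enumerate(trace):
        if ev.kind == "call":
            busy = ev.task in outstanding or any(ev.task == c for _, c in active.values())
            if busy:
                violations.append(f"{i}: {ev.task} calls {ev.target} while already engaged in a rendezvous")
            else:
                outstanding[ev.task] = ev.target
        elif ev.kind == "accept":
            # dict preserves insertion order, so the first match is the earliest caller
            callers = [t for t, e in outstanding.items() if e == ev.target]
            if not callers:
                violations.append(f"{i}: {ev.task} accepts {ev.target} with no pending call")
            else:
                caller = callers[0]
                del outstanding[caller]
                active[ev.target] = (ev.task, caller)
        elif ev.kind == "end":
            if ev.target not in active:
                violations.append(f"{i}: {ev.task} ends a rendezvous on {ev.target} that never started")
            else:
                del active[ev.target]
        elif ev.kind == "write":
            entry = guarded.get(ev.target)
            if entry is not None and ev.task not in active.get(entry, ()):
                violations.append(f"{i}: unguarded write to {ev.target} by {ev.task}")
    return violations


# Constructed trace: a bounded-buffer task "Buffer" with entries Put and Get,
# and a shared variable "Slot" that may only be written during a Put rendezvous.
GUARDED = {"Slot": "Put"}
TRACE = [
    Event("call",   "Producer", "Put"),
    Event("accept", "Buffer",   "Put"),
    Event("write",  "Producer", "Slot"),   # legal: written during the Put rendezvous
    Event("end",    "Buffer",   "Put"),
    Event("write",  "Consumer", "Slot"),   # race: no rendezvous protects the write
    Event("call",   "Consumer", "Get"),
    Event("call",   "Consumer", "Put"),    # protocol error: second call while blocked
    Event("accept", "Buffer",   "Get"),
    Event("end",    "Buffer",   "Get"),
    Event("accept", "Buffer",   "Put"),    # protocol error: nobody is calling Put
]


def run_demo() -> List[str]:
    """Run the monitor over the constructed trace; returns three violations."""
    return check_trace(TRACE, GUARDED)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Only the events named in the constraints are inspected; everything else in the stream is ignored, which mirrors the point made above that a specification need mention only significant events. The race in event 4 is exactly the kind of error that is invisible to a conventional post-mortem debugger, because the write itself is well formed and only its position relative to the rendezvous events makes it wrong.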

During 1988-89 we defined a formal operational semantics for TSL-1 [10]. This report can be used as an implementation guide in constructing runtime monitoring tools for TSL or similar pattern-constraint languages.

We have completed implementation of a pilot TSL-1 toolset on a multi-processor Sequent Symmetry. This included an experimental TSL-1 runtime monitor for detecting inconsistencies between the actual behavior of a distributed Ada system and TSL-1 specifications of the behavior.

We have formalized the complete Ada tasking semantics ([1, §9]) in TSL-1 [24].

We have experimented with using the formal Ada tasking semantics as the TSL specification for an Ada tasking scheduler running on a Sequent Symmetry multi-processor. Experiments were performed that utilized this specification together with the TSL monitor, as a testbed for Ada schedulers [24,27].

We have developed a theory of interference by runtime monitors on distributed computations being monitored. We have shown that the TSL-1 monitor does not interfere with the underlying computation in ways that preclude concurrency errors from showing up, or introduce new concurrency errors. A report on these results has been written [9].

Also during 1988-89 TSL-1.5 was developed from TSL-1 to provide a more powerful specification language suitable for loosely coupled distributed Ada systems. An underlying computational model of partially ordered sets of events was adopted in place of the previous linear stream model of TSL-1. Models using partial orderings are being adopted generally in research on concurrency [23]. Semantics based on partial order models allow TSL-1.5 to express causality and timing (an event causes another event if the two events are ordered), as well as concurrency (two events are concurrent if they are not ordered). Ada tasking computations on multi-processors conform to the partial order model. A draft report on TSL-1.5 was developed [16].

Lastly, in 1988-89, further development of TSL tools and experimental applications were undertaken and published.

During 1989-90, the partial ordering model was applied to Ada. The partial ordering of events informally defined by the Ada Standard [1] was formalized and published [5].

That year, a timing construct was added to the TSL specification language. Like causality, timing is modeled as a partial ordering of events (i.e., simultaneous events are unordered).

Also in 1989-90, the prototype implementation of the TSL-1 preprocessor and runtime monitor was completed and a simple, interactive, source-level debugger was built into the monitor. To support the tools, a 73 page users' guide was developed [4]. (These tools are now available on the Internet.)

Initial work on pattern-based mappings as a means of expressing abstraction was begun during 1989-90 and preliminary results were published [20].

During 1990-91, design of a new machine processable specification language, TSL-2, for distributed systems was begun. TSL-2 is evolved from previous project work on the design and implementation of TSL-1 and the design of TSL-1.5. TSL-2 adds a few new constructs to TSL and extends the semantics of the existing ones to enable specification of the most general forms of distributed computation, and also to specify hierarchical designs of concurrent systems. In particular, this work has involved:

• In TSL-2 the basic pattern language for expressing constraints has been improved to provide features for specifying causality between events, timing, overlapping events, and independence of events in distributed systems.

• The semantics of TSL-2 is defined using partial order models of distributed computation.

• A facility for behavioral abstraction was added. New constructs (not in previous versions of TSL) for expressing hierarchical decomposition of distributed systems were developed. This facility is based on the concept of pattern mappings for expressing relationships between different levels of specifications. Pattern mappings are very similar to pattern constraints so the complexity of the specification language TSL-2 is not increased.


Beginning in 1990, basic algorithms for efficient reproduction of partially ordered distributed computations were researched, a report was written [21], and a prototype implementation is underway. A model for reproducing the partial ordering of distributed computations has been worked out by Fidge [7] and Mattern [18]. (An implementation of the general Fidge-Mattern model has been completed.) We have developed algorithms to implement the Fidge-Mattern model which we believe will overcome the computational complexity of the general model. Such algorithms are critical in implementing tools to check consistency of distributed computations with TSL-2 specifications.
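As an added example, not code from the TSL project, the block below implements the general Fidge-Mattern vector timestamp model referred to above and uses it to recover the causality and concurrency relations that the partial order semantics of TSL-1.5 and TSL-2 (described earlier in this section) are built on. The trace format, process names ("P1", "P2", "P3"), event names and message identifiers are constructed for the example; a real tool would obtain the events from an instrumented program. The locality optimizations of [21] are not implemented here, only the general model whose cost they are meant to reduce.

```python
from typing import Dict, List, Optional, Tuple

Vector = Tuple[int, ...]

# Constructed observation-trace format (not TSL syntax):
#   (process, event name, kind, message id)
# kind is "local", "send" or "recv"; the message id links a send to its
# receive (for Ada rendezvous, think of the entry call as the send and the
# accept as the receive).
Trace = List[Tuple[str, str, str, Optional[str]]]


def vector_timestamps(processes: List[str], trace: Trace) -> Dict[str, Vector]:
    """Assign Fidge-Mattern vector timestamps to every event of a trace.

    Each process keeps one counter per process. A local or send event
    increments the process's own counter; a receive first takes the
    component-wise maximum with the vector carried by the message and then
    increments. The trace is read in observation order, so a receive must
    appear after its send; the observed order between unrelated events is
    otherwise irrelevant to the result.
    """
    idx = {p: i for i, p in enumerate(processes)}
    clocks = {p: [0] * len(processes) for p in processes}
    in_flight: Dict[str, Vector] = {}    # message id -> vector carried by it
    stamps: Dict[str, Vector] = {}
    for proc, name, kind, msg in trace:
        vc = clocks[proc]
        if kind == "recv":
            if msg not in in_flight:
                raise ValueError(f"{name}: receive of {msg} observed before its send")
            carried = in_flight.pop(msg)
            for k in range(len(vc)):
                vc[k] = max(vc[k], carried[k])
        vc[idx[proc]] += 1
        if kind == "send":
            in_flight[msg] = tuple(vc)
        stamps[name] = tuple(vc)
    return stamps


def happens_before(a: Vector, b: Vector) -> bool:
    """a causally precedes b iff a <= b component-wise and a != b."""
    return a != b and all(x <= y for x, y in zip(a, b))


def concurrent(a: Vector, b: Vector) -> bool:
    """Two events are concurrent (unordered) iff neither precedes the other."""
    return not happens_before(a, b) and not happens_before(b, a)


def relation(stamps: Dict[str, Vector], x: str, y: str) -> str:
    """Classify the pair (x, y) as 'before', 'after' or 'concurrent'."""
    a, b = stamps[x], stamps[y]
    if happens_before(a, b):
        return "before"
    if happens_before(b, a):
        return "after"
    return "concurrent"


# Constructed trace of three processes exchanging two messages.
PROCESSES = ["P1", "P2", "P3"]
TRACE: Trace = [
    ("P1", "a1", "local", None),
    ("P1", "a2", "send",  "m1"),
    ("P2", "b1", "local", None),
    ("P2", "b2", "recv",  "m1"),
    ("P3", "c1", "local", None),
    ("P2", "b3", "send",  "m2"),
    ("P3", "c2", "recv",  "m2"),
    ("P1", "a3", "local", None),
]


if __name__ == "__main__":
    stamps = vector_timestamps(PROCESSES, TRACE)
    for name, vc in stamps.items():
        print(name, vc)
    for x, y in [("a2", "b2"), ("a1", "c2"), ("a3", "c2"), ("c1", "b2")]:
        print(x, relation(stamps, x, y), y)
```

The last pair is the instructive one: a3 is observed after c2 in the linear trace, so a linear stream model would treat a3 as coming after c2, whereas the vector timestamps show the two events are concurrent because no chain of messages connects them. A race between such events can only be stated, and detected, under the partial order model.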

A first application of pattern mappings, to the monitoring of VHDL simulations, was implemented [8]. This will permit a user of TSL-2 to specify a level of detail (e.g., instruction set level, register transfer level, gate level) at which the simulation output is to be mapped and analyzed for consistency with specifications.
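To make the notion of a pattern mapping concrete, here is an added example that is not part of the TSL project and does not use TSL-2 syntax. A mapping rule recognizes a pattern of low-level rendezvous events (call, accept, end on one entry) and abstracts each occurrence into a single higher-level event; a constraint is then checked against the higher-level stream only, in the same way the VHDL application above lets a user choose the level at which simulation output is analyzed. The event vocabulary, the entry-to-operation table and the sample trace are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LowEvent:
    kind: str    # "call", "accept" or "end" (constructed vocabulary)
    task: str
    entry: str


@dataclass(frozen=True)
class HighEvent:
    name: str    # abstract operation, e.g. "Deposit"
    client: str
    server: str


# Constructed mapping rule: a completed rendezvous on entry E, i.e. the pattern
#   call(C, E) ... accept(S, E) ... end(S, E)
# is abstracted into the single high-level event ABSTRACT[E](C, S).
ABSTRACT = {"Put": "Deposit", "Get": "Withdraw"}


def map_rendezvous(low: List[LowEvent], abstract: Dict[str, str]) -> List[HighEvent]:
    """Fold a low-level event stream into a high-level one using the rule above.

    The mapping is itself a pattern over the low-level stream, which is why
    mappings and constraints can share one pattern language. Events on entries
    not covered by `abstract` are invisible at the higher level.
    """
    pending: Dict[str, List[str]] = {}           # entry -> callers waiting (FIFO)
    open_rdv: Dict[str, Tuple[str, str]] = {}    # entry -> (client, server)
    high: List[HighEvent] = []
    for ev in low:
        if ev.entry not in abstract:
            continue
        if ev.kind == "call":
            pending.setdefault(ev.entry, []).append(ev.task)
        elif ev.kind == "accept":
            if not pending.get(ev.entry):
                raise ValueError(f"accept {ev.entry} by {ev.task} with no caller")
            open_rdv[ev.entry] = (pending[ev.entry].pop(0), ev.task)
        elif ev.kind == "end":
            if ev.entry not in open_rdv:
                raise ValueError(f"end {ev.entry} by {ev.task} without accept")
            client, server = open_rdv.pop(ev.entry)
            high.append(HighEvent(abstract[ev.entry], client, server))
    return high


def check_buffer(high: List[HighEvent], capacity: int) -> List[str]:
    """High-level constraint: the item count of a bounded buffer never drops
    below zero (underflow) or above `capacity` (overflow), counting one item
    per Deposit and minus one per Withdraw."""
    count = 0
    violations: List[str] = []
    for i, ev in enumerate(high):
        count += 1 if ev.name == "Deposit" else -1
        if count < 0:
            violations.append(f"{i}: underflow, {ev.client} withdrew from an empty buffer")
            count = 0
        elif count > capacity:
            violations.append(f"{i}: overflow, {ev.client} deposited into a full buffer")
            count = capacity
    return violations


# Constructed low-level trace: one Deposit, two Withdraws, one Deposit.
LOW = [
    LowEvent("call",   "Producer", "Put"),
    LowEvent("accept", "Buffer",   "Put"),
    LowEvent("end",    "Buffer",   "Put"),    # -> Deposit(Producer, Buffer)
    LowEvent("call",   "Consumer", "Get"),
    LowEvent("call",   "Producer", "Put"),
    LowEvent("accept", "Buffer",   "Get"),
    LowEvent("end",    "Buffer",   "Get"),    # -> Withdraw(Consumer, Buffer)
    LowEvent("call",   "Consumer", "Get"),
    LowEvent("accept", "Buffer",   "Get"),
    LowEvent("end",    "Buffer",   "Get"),    # -> Withdraw(Consumer, Buffer): underflow
    LowEvent("accept", "Buffer",   "Put"),
    LowEvent("end",    "Buffer",   "Put"),    # -> Deposit(Producer, Buffer)
]


if __name__ == "__main__":
    high = map_rendezvous(LOW, ABSTRACT)
    print([e.name for e in high])
    print(check_buffer(high, capacity=1))
```

The underflow is a property of the buffer's abstract behavior and is awkward to state in terms of individual call and accept events; once the mapping has produced the Deposit/Withdraw stream the constraint is a two-line counter. The mapping assumes a protocol-correct low-level trace and raises on anything else, which is the job of a lower-level constraint set rather than of the mapping.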
Also during 1990-91, TSL-2 was applied in new research on language design. TSL-2 became the basis for a concurrent specification sublanguage in a new language design effort to support prototyping. This use of TSL both improved the expressiveness of time-sensitive specifications and strengthened the theory of event patterns.

Lastly, new benchmark example applications of TSL tools, illustrating techniques for applying TSL-2 to air traffic control problems, are being developed, and the toolset was extended by porting it to new host architectures. Distribution of the runtime monitor itself was investigated.


2 Application of TSL in other research efforts


In this section we give a short list of other research efforts and projects in which TSL is being used and its concepts are being applied.


1. Ada Performance Measurements. TSL-1 tools are the subject of a proposed subcontract from Encore Inc. as part of the DARPA strategic computing initiative. It is proposed that Stanford port the TSL-1 tools to the Encore Multimax computer project and reengineer them to enhance and generalize the Encore Parasight multi-processor performance measurement facility.

2. Ada Environment Tools. TSL-1 monitoring and debugging tools and TSL-2 specification analysis tools are a planned component of the integrated analysis tools in the DARPA Arcadia environment effort.

3. Concurrent Program Monitors. A distributed implementation of TSL-1.5 is being developed at the University of Bergen in Norway.

4. CAD Tools. TSL-2 hierarchical mapping constructs have recently been incorporated into a specification language for hardware design, called VAL [2], associated with the VHSIC project's VHDL. Mappings form the basis for a prototype implementation of a VHDL support tool for comparative validation of VHDL simulations.

5. Ada Tasking Specifications. TSL-1 has been used by Mitre Corp. in the design and specification of a user interface [6]. More recently Mitre is proposing projects in software engineering environments in which TSL is a component technology for concurrency specifications.

6. Object-Oriented Concurrency Specifications. The possibility of using TSL-2 as the concurrency specification sublanguage in the European ESPRIT project, Dragoon [17], in place of Deontic Logic, has been proposed by the project leader, Prof. S. Crespi-Reghizzi of Politecnico di Milano; we have not received any firm decision as yet.

7. Software Process Specifications. TSL-1 concepts are being applied to industrial problems at AT&T Bell Labs. Particular applications undertaken by D. S. Rosenblum of AT&T include:

• development of experimental tools for monitoring operating system-level events for consistency with event pattern specifications. For each specification, a specified action is taken whenever the specified event pattern occurs. In a current prototype implementation, the events of interest are Unix-level events such as file modification, passage of time, users logging in, etc., and the action component is a Unix command sequence [11,26].

• possible development of high-level event-pattern specification monitoring of telephone networks, replacing the current system-level event monitoring capabilities.

8. Prototyping Languages. TSL-2 has had a significant impact in the area of prototyping languages. A new programming and design language is being designed by the Stanford/TRW team during phase 1 of the DARPA initiative on "New Language for Rapid Construction of Software Prototypes" [3,21,22]. Major features of the language include: object-oriented type model, first-order logic specifications, concurrency specifications, and pattern-based process invocation. TSL-2 has been adopted for use in both concurrency specifications and pattern-based process invocation. This use of TSL constructs has resulted in further development of TSL's pattern and specification features:

• The ability to describe time-critical and time-sensitive computations was improved.

• Specifications are currently being developed into an algebra including theories of checkability, substitutability and proof rules.


3 Presentations of TSL and TSL research results

1. D.C. Luckham, Tri-Ada '88 International Conference, Special Session on Innovative Ada Technology, October 1988.

2. D.C. Luckham, Formal Methods Workshop 1989, Halifax, Nova Scotia, July 1989.

3. S. Meldal, Specifying and Observing Concurrent Programs, Third International Workshop on Large Grain Parallelism, Carnegie Mellon University, Pittsburgh, October 1989.

4. D.L. Bryan, An Algebraic Specification of the Partial Orders Generated by Concurrent Ada Computations, presented at Tri-Ada '89 International Conference, October 1989 [5].

5. D.S. Rosenblum and D.C. Luckham, Testing the Correctness of Tasking Supervisors with TSL Specifications, presented at the ACM SIGSOFT '89 Third Symposium on Software Testing, Analysis, and Verification (TAV3), December 1989 [27].

6. D.C. Luckham, Invited Lectures on Rigorous Methods in Software Engineering, Software Engineering Institute, Carnegie Mellon University, April 1990.

7. D.C. Luckham, ACM International Workshop on Formal Methods, invited lecture, "Compromises and New Directions in Formal Methods", Napa, Calif., May 1990.
8. S. Meldal, Supporting Architecture Mappings in Concurrent Systems Design, Australian Software Engineering Conference, Sydney, May 1990 [20].

9. F. Belz and D.C. Luckham, A New Approach to Prototyping Ada-Based Hardware/Software Systems, presented at Tri-Ada '90 International Conference, December 1990 [3].

10. J. Mitchell, S. Meldal and N. Madhav, An Extension of Standard ML Modules with Subtyping and Inheritance, presented at the ACM Conference on the Principles of Programming Languages, January 1991 [22].

11. D.S. Rosenblum, An Overview of TSL, A Language for Specifying and Debugging Concurrent Programs, IEEE Software, May 1991 [25].

12. S. Meldal, S. Sankar and J. Vera, presentation at the Tenth Annual ACM Symposium on Principles of Distributed Computing, Exploiting Locality in Maintaining Potential Causality, August 1991 [21].